You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Philip Gwyn <ap...@artware.qc.ca> on 2001/10/12 22:12:07 UTC

mod_proxy/8523: When using mod_rewrite and mod_proxy together, REMOTE_ADDR is not useful.

>Number:         8523
>Category:       mod_proxy
>Synopsis:       When using mod_rewrite and mod_proxy together, REMOTE_ADDR is not useful.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri Oct 12 13:20:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     apach@artware.qc.ca
>Release:        1.3.20
>Organization:
apache
>Environment:
Linux joe 2.2.19 #20 Sat Aug 11 13:19:17 EDT 2001 i686 unknown
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)

>Description:
My server is set up as follows : 2 "plain" apache processes listen for incoming connections (one for http, one for https).  When dynamic content is called for,  the request is proxied to an apache process (on port 808 and 809 (for SSL)) that includes mod_perl.

Dynamic content is decided by a bunch of RewriteRules that have [Proxy] flags.  All this works perfectly, but for one point: REMOTE_ADDR and REMOTE_PORT on the mod_perl process has information regarding the "front-end" apache processes, not the remote user's browser.  This means there is no way to use IP for session ID validation and expiration, etc.

The following patch propagates host, port, user and ident information proxied header.  Headers are prefixed with Proxy-  and are then available on the far end as HTTP_PROXY_

>How-To-Repeat:

>Fix:
--- apache_1.3.20.orig/src/modules/proxy/proxy_http.c   Fri Feb  9 07:40:27 2001
+++ apache_1.3.20/src/modules/proxy/proxy_http.c        Thu Aug  2 23:33:28 2001
@@ -353,7 +353,30 @@
             */
            || !strcasecmp(reqhdrs[i].key, "Proxy-Authorization"))
            continue;
+
+               /* send headers we were sent */
        ap_bvputs(f, reqhdrs[i].key, ": ", reqhdrs[i].val, CRLF, NULL);
+   }
+   
+   if(1) {   /* PG: Send the REMOTE_MUTTER stuff as Proxy-Remote-Mutter */
+        const char *host, *rem_logname;
+        conn_rec *c = r->connection;
+            
+        host = ap_get_remote_host(c, r->per_dir_config, REMOTE_HOST);
+        if (host) {
+             ap_bvputs(f, "Proxy-Remote-Host", ": ", host, CRLF, NULL);
+        }
+        ap_bvputs(f, "Proxy-Remote-Addr", ": ", c->remote_ip, CRLF, NULL);
+        ap_bvputs(f, "Proxy-Remote-Port", ": ",
+                      ap_psprintf(r->pool, "%d", ntohs(c->remote_addr.sin_port)
),
+                      CRLF, NULL);
+        if (c->user) {
+            ap_bvputs(f, "Proxy-Remote-User", ": ", c->user, CRLF, NULL);
+        }
+        rem_logname = ap_get_remote_logname(r);
+        if (rem_logname) {
+            ap_bvputs(f, "Proxy-Remote-Ident", ": ", rem_logname, CRLF, NULL);
+        }
     }
 
     ap_bputs(CRLF, f);
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]